Greg Hudson ghudson at MIT.EDU
Wed Oct 7 12:51:44 EDT 2009

On Wed, 2009-10-07 at 12:13 -0400, Luke Howard wrote:
> >  1. If you increase the number of allowed failures in the policy,
> > locked accounts will become unlocked.
> Also, are there any interactions with pw_failcnt_interval that need to  
> be considered? (This is the time after which the bad preauthentication  
> count is reset; this is independent of pw_lockout_duration, which is  
> the period in which lockout is enforced.)
> Do these become one and the same? Does this change the semantics of  
> the lockout policy?

No, they do not become one and the same.  The lockout duration applies
if the account has already seen the allowed number of failures (i.e. the
account is locked); the failcnt interval applies otherwise.

The semantics of a static lockout policy do not change.

The interactions with a changing pw_failcnt_interval are not altered;
pw_failcnt_interval is consulted in exactly the same ways as it is
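
The rule in the reply above (lockout duration governs a locked account, the failcnt interval governs an unlocked one), modelled as an added example that is not part of the original message and is not krb5's own code. The struct and function names are hypothetical, all policy values are assumed nonzero, and ignoring failures while locked is an assumption of this model.

```c
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

/* Hypothetical simplified model; names are illustrative, not krb5's. */
struct policy {
    int    max_fail;          /* allowed failures before lockout */
    time_t failcnt_interval;  /* pw_failcnt_interval, in seconds */
    time_t lockout_duration;  /* pw_lockout_duration, in seconds */
};
struct account {
    int    fail_count;        /* bad preauthentication count */
    time_t last_failed;       /* time of the most recent failure */
};

/* "Locked" is derived from the current policy on every check, so raising
 * max_fail above the stored fail_count unlocks the account at once. */
static bool is_locked(const struct policy *p, const struct account *a, time_t now)
{
    if (a->fail_count < p->max_fail)
        return false;         /* allowed number of failures not yet seen */
    return now < a->last_failed + p->lockout_duration;
}

/* Record one failed preauthentication attempt at time `now`. */
static void record_failure(const struct policy *p, struct account *a, time_t now)
{
    if (is_locked(p, a, now))
        return;               /* assumption: count is frozen while locked */
    if (now > a->last_failed + p->failcnt_interval)
        a->fail_count = 0;    /* earlier failures are too old to count */
    a->fail_count++;
    a->last_failed = now;
}

/* Constructed scenario: three quick failures lock the account, then the
 * administrator raises max_fail to 5. Returns 1 if the lock disappears. */
static int demo(void)
{
    struct policy p = { 3, 300, 900 };
    struct account a = { 0, 0 };
    for (time_t t = 1000; t <= 1020; t += 10)
        record_failure(&p, &a, t);
    bool locked_before = is_locked(&p, &a, 1030);
    p.max_fail = 5;
    bool locked_after = is_locked(&p, &a, 1030);
    return locked_before && !locked_after;
}

int main(void) { printf("unlocked by policy change: %d\n", demo()); return 0; }
```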

